Listening ports

Status
Not open for further replies.

WheeDoggy

Programmer
Nov 26, 2002
338
TW
Is there a way to stop this?

An application goes out on port N tcp.

At completion of comm, and after the app has terminated, port N remains listening until reboot.

This occurs sporadically on outbound random ports and is in no way related to any trojan.

Any ideas?

Thanks
 
Let me try another angle:

One Example:

Surfing the web with IE.

xxx.xxx.xxx.xxx:1616 yyy.yyy.yyy.yyy:80

After communication is finished and closes I am left with
0.0.0.0.:1616 0.0.0.0:0 Listening
until after reboot.

As said before, this occurs sporadically and at different local send ports. Trojans pretty much ruled out.

Could someone please shed some light on this?
 
I doubt that the port is actually listening, but if you really are concerned about it, try running nmap against the computer when you get it in this state to see if it will accept an incoming connection.

I know that the Apache web server has some similar issues when a connection has been abnormally ended, but other than resource consumption, there isn't any real problem present.

Let us know what the nmap response is.
pansophic
 
Hi Pansophic,

Thanks for the reply.

One slightly disturbing thing here.

Normally ports are stealthed. However, this "phenom" elicits a "port_closed" response from the machine.

If scanned on the net, it's kind of like being the invisible man wearing a fig leaf! :)

Know of any links or "fix" for M$ Winsock2+/Win98?

Thanks & regards
 
Actually, it is not really a problem. You cannot connect to a closed port, it just makes the scan go a little faster. A stealthed port doesn't respond at all, and a closed port responds with a RST flagged packet.

But it would be nice to know what is causing it. Have you tried to test it without running your personal firewall? Like behind some other firewall?
pansophic
 
That's the point I was trying to make.....

Lately, there has been a lot of scanning going on killing some bandwidth and a RST basically tells someone that there is in fact someone out here on IP xxx.xxx.xxx.xxx, which may draw more extensive scanning. Whereas otherwise, the IP would probably at least later be ignored by whoever was originally scanning. Too many bored script kiddies around who have learned how to use port scanners and don't even know what 300 baud was like. (Unless they use AOL :) )

Is there a decent alternative soft firewall out there that you could recommend? I have seen and heard negatives written about most of the populars and would have difficulty in deciding.

Thanks & regards
 
It's unlikely a port-scanning script kiddie would go after a PC with closed ports - they just look for things like netbios ports open. Of course a more determined/knowledgeable hacker could but I just prefer to rely on the fact I'm irrelevant in the context of the millions of other Internet users out there ;)

Also if you have a firewall doing NAT or specifically port blocking inbound ports it's a lot harder to exploit such things. Personally I rely on the hardware firewall on my router and an up-to-date virus scanner. Of the software firewalls out there Kerio seems to have a lot of followers among the more technically-aware crowd (as opposed to the novice user who'll usually end up with Zone Alarm or something).
 
Hi Nick,

I had a great belly laugh regarding the novice Zone Alarm remark.

My brother in law was over and saw me making the previous post and he suggested Zone Alarm.
PS He's one of those people who doesn't know what he's doing and likes to "tinker" around with configs - Then call someone begging for help after he's screwed up his PC (usually me! :-( )

Anyway, thanks for the reply. I will look into Kerio but I know that I need to break down and buy a router.

Regards
 
ZA is good against Trojans IMO - apart from some recent ones which disable ZA... It just doesn't give you enough control to trust as a firewall.
 